NAT weirdness

I have an 1811 using NAT to get our internal services out to the internet. I have 2 DNS servers on the inside of our network that serve public queries.

I have a class C (provided by my ISP) for my outside interface. I have the last 11 addresses set up in a pool to allow my workstations to surf the net. I have set up static (one-to-one) mappings for several services inside (e-mail, www, DNS).

My DNS servers are on different class C networks inside.

                       / classC1 xxx.xxx.216.0 -- Secondary DNS xxx.xxx.216.107
Internet -- 1811 --<
                       \ classC2 xxx.xxx.217.0 -- Primary DNS xxx.xxx.217.183

On classC1, I have an external address natted to xxx.xxx.216.107 (secondary DNS). On classC2, I have an external address natted to xxx.xxx.217.183 (primary DNS).

As long as I have the NAT statement on classC1 working, DNS works properly. If I remove the classC1 static NAT, I can no longer reach the primary DNS server. If I try to create an extended NAT translation, it fails. I cannot reach the primary or secondary server.

If I run debugs on the NAT, I can see that incoming DNS queries are going to xxx.xxx.217.183.

I've pasted a copy of my config (less the un-interesting bits).

show run
Building configuration...

Current configuration : 13392 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxx
!
boot-start-marker
boot system flash c181x-advipservicesk9-mz.124-4.T1.bin
boot-end-marker
!
logging buffered 8192 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
no ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name xxxxxxxxxx.com
ip name-server 198.235.216.131
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
crypto pki trustpoint TP-self-signed-6512184
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-6512184
 revocation-check none
 rsakeypair TP-self-signed-6512184
!
!
crypto pki certificate chain TP-self-signed-6512184
 certificate self-signed 01
  xxxxxxxxxxxxxxxxxxxxxxxxxxx
  quit
username xxxxxxx privilege 15 secret 5 xxxxxxxx
username xxxxxxx privilege 15 secret 5 xxxxxxxx
username xxxxxxx privilege 15 password 7 xxxxxxxx
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 14400
crypto isakmp key xxxxx address xx.xx..xx no-xauth
crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
!
crypto ipsec security-association lifetime seconds 14400
!
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set trans1
!
!
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 5 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set trans1
 match address 130
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address xx.xx.xx.xx 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 no cdp enable
 crypto map intmap
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface FastEthernet4
 no cdp enable
!
interface FastEthernet5
 no cdp enable
!
interface FastEthernet6
 no cdp enable
!
interface FastEthernet7
 no cdp enable
!
interface FastEthernet8
 no cdp enable
!
interface FastEthernet9
 no cdp enable
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Dot11Radio1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address xx.xx.xx.xx7.185 255.255.255.0 secondary
 ip address xx.xx.xx.xx6.185 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip local pool ourpool 10.2.5.1 10.2.5.254
ip classless
ip forward-protocol spanning-tree
ip forward-protocol udp netbios-ss
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx.1
ip route 10.2.3.0 255.255.255.0 xx.xx.xx.xx6.46
ip route 10.2.4.0 255.255.255.0 xx.xx.xx.xx6.165
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation timeout 1440
ip nat pool ott-tcom-pool xx.xx.xx.xx.244 xx.xx.xx.xx.254 netmask 255.255.255.0
ip nat inside source route-map nonat pool ott-tcom-pool overload
ip nat inside source static xx.xx.xx.xx7.183 xx.xx.xx.xx.5
ip nat inside source static xx.xx.xx.xx6.179 xx.xx.xx.xx.6
ip nat inside source static xx.xx.xx.xx6.26 xx.xx.xx.xx.7
ip nat inside source static xx.xx.xx.xx6.17 xx.xx.xx.xx.8
ip nat inside source static xx.xx.xx.xx6.38 xx.xx.xx.xx.9
ip nat inside source static xx.xx.xx.xx6.10 xx.xx.xx.xx.10
ip nat inside source static tcp xx.xx.xx.xx6.43 25 xx.xx.xx.xx.43 25 extendable
ip nat inside source static tcp xx.xx.xx.xx6.43 53 xx.xx.xx.xx.43 53 extendable
ip nat inside source static tcp xx.xx.xx.xx6.43 25 xx.xx.xx.xx.43 1525 extendable
ip nat inside source static xx.xx.xx.xx6.43 xx.xx.xx.xx.43
ip nat inside source static xx.xx.xx.xx6.64 xx.xx.xx.xx.64
ip nat inside source static xx.xx.xx.xx6.107 xx.xx.xx.xx.183
!
logging trap debugging
logging xx.xx.xx.xx6.162
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp host 198.235.216.131 eq domain host xx.xx.xx.xx.4
access-list 103 permit udp host 67.69.164.98 eq 4000 any
access-list 103 permit udp host 204.225.163.189 eq non500-isakmp any
access-list 103 permit udp host 207.236.49.181 eq 10001 any
access-list 103 permit udp host 209.121.207.198 eq non500-isakmp any
access-list 103 permit udp host 209.121.207.198 any eq 1031
access-list 103 permit udp host 209.121.207.198 any eq 1030
access-list 103 permit udp host 204.225.163.189 any eq 1030
access-list 103 permit udp host 162.89.0.37 eq 10000 any
access-list 103 permit tcp any host xx.xx.xx.xx.9 eq www
access-list 103 permit udp any eq domain any
access-list 103 permit udp any any eq domain
access-list 103 permit tcp any any established
access-list 103 permit tcp any any eq 1723
access-list 103 permit gre any any
access-list 103 permit esp any any
access-list 103 permit ahp any any
access-list 103 permit tcp any host xx.xx.xx.xx.10 eq smtp
access-list 103 permit tcp any host xx.xx.xx.xx.10 eq 1525
access-list 103 permit tcp any host xx.xx.xx.xx.10 eq 443
access-list 103 permit tcp any host xx.xx.xx.xx.64 eq smtp
access-list 103 permit tcp any host xx.xx.xx.xx.64 eq 1525
access-list 103 permit tcp any host xx.xx.xx.xx.64 eq 443
access-list 103 permit tcp any host xx.xx.xx.xx.64 eq pop3
access-list 103 permit tcp any host xx.xx.xx.xx.64 eq 143
access-list 103 permit tcp any host xx.xx.xx.xx.4 eq 22
access-list 103 permit tcp any host xx.xx.xx.xx.43 eq smtp
access-list 103 permit tcp any host xx.xx.xx.xx.183 eq domain
access-list 103 permit udp any host xx.xx.xx.xx.183 eq domain
access-list 103 permit udp any host xx.xx.xx.xx.5 eq domain
access-list 103 permit tcp any host xx.xx.xx.xx.5 eq domain
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any eq isakmp any
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit icmp any any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip xx.xx.xx.xx6.0 0.0.0.255 any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 110 deny ip xx.xx.xx.xx6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny ip xx.xx.xx.xx7.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip xx.xx.xx.xx6.0 0.0.0.255 any
access-list 110 permit ip xx.xx.xx.xx7.0 0.0.0.255 any
access-list 130 permit ip xx.xx.xx.xx6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 permit ip xx.xx.xx.xx7.0 0.0.0.255 192.168.3.0 0.0.0.255
no cdp run
!
route-map nonat permit 10
 match ip address 110
!
!
!
!
control-plane
Mikhael47
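An added consistency check, not part of the post or of IOS itself: a small Python script that pairs the "ip nat inside source static" lines with the host-specific permits in access-list 103, so you can see which inside host each "eq domain" permit actually lands on after translation, and which ACL targets have no static translation at all. The addresses are constructed documentation-range stand-ins following the post's last-octet pattern; ports are ignored, only address reachability is compared.

```python
import re
from collections import defaultdict

# Constructed stand-in for the poster's config (documentation ranges, not the real
# addresses): outside /24 = 203.0.113.0, classC1 (.216) = 198.51.100.0,
# classC2 (.217) = 192.0.2.0. Last octets follow the post.
SAMPLE_CONFIG = """\
ip nat inside source static 192.0.2.183 203.0.113.5
ip nat inside source static 198.51.100.38 203.0.113.9
ip nat inside source static tcp 198.51.100.43 25 203.0.113.43 25 extendable
ip nat inside source static 198.51.100.107 203.0.113.183
access-list 103 permit tcp any host 203.0.113.9 eq www
access-list 103 permit udp any any eq domain
access-list 103 permit tcp any host 203.0.113.4 eq 22
access-list 103 permit tcp any host 203.0.113.43 eq smtp
access-list 103 permit tcp any host 203.0.113.183 eq domain
access-list 103 permit udp any host 203.0.113.5 eq domain
"""

NAT_RE = re.compile(r"^ip nat inside source static(?: (?:tcp|udp))? (\S+)(?: \d+)? (\S+)")
ACL_RE = re.compile(r"^access-list 103 permit (\S+) .+? host (\S+) eq (\S+)$")

def parse(config):
    """Return (statics, acl): outside addr -> inside hosts, outside addr -> (proto, port) permits.
    Wildcard 'any any' entries name no host and are deliberately skipped."""
    statics, acl = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        if m := NAT_RE.match(line):
            statics[m.group(2)].add(m.group(1))
        elif m := ACL_RE.match(line):
            acl[m.group(2)].add((m.group(1), m.group(3)))
    return statics, acl

def audit(config):
    """ACL targets with no static translation, and statics the ACL never explicitly opens."""
    statics, acl = parse(config)
    unmapped = sorted(h for h in acl if h not in statics)
    unpermitted = sorted(o for o in statics if o not in acl)
    return unmapped, unpermitted

def dns_exposure(config):
    """Which inside host each 'eq domain' permit really reaches after static NAT."""
    statics, acl = parse(config)
    return {o: sorted(statics[o]) for o, rules in acl.items()
            if o in statics and any(port == "domain" for _, port in rules)}
```

On the sample, the outside .183 resolves to the classC1 host .107 (the secondary), while the primary at classC2 .183 sits behind outside .5; the .4 permits have no translation behind them.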
